[ale] SSH Cisco Networking Issue

Omar Chanouha ofosho at gatech.edu
Fri Sep 17 01:02:09 EDT 2010


> Most SSH
>packets are much smaller than your MTU, but a large amount of data could
>well exceed this.  If the firewall is dropping fragments, you would get
>a behavior similar to what you've described.

AMAAAAAAAAAAZINGGGGGGGG!!!!!!!!!!!!!

David, you sir are nothing shy of the man!!!!!!!!!

I throttled the MTU on my server, and now I am able to send/receive as
much data as I want!

This brings up another question about MTU size, but I'll make another
thread for that.

Thanks again!

-O

On Thu, Sep 16, 2010 at 11:08 PM, Omar Chanouha <ofosho at gatech.edu> wrote:
> I am actually not sure what I mean by "Cisco SSH Rule". I was actually
> hoping someone here would know. The IT guy told me that he opened port
> 22 manually, which did not work. But then, rather than opening a port,
> he said he allowed the SSH application. I interpreted that as making
> the rule "allow SSH traffic", rather than "allow port 22 traffic". I
> honestly have no Cisco/Firewall experience, so I don't know. But, from
> the sound of it, this guy doesn't really have too much experience
> either. And, they are a MSoft oriented company, so of course the fact
> that it isn't working is not his fault, but that of Linux.
>
> I will ask him about the MTU, but if the MTU of the firewall is set
> improperly wouldn't that also affect the SSH packets from the Cisco
> routers? Or, perhaps that SSH server only sends packets in small
> chunks?
>
> Just guessing here, and hoping my boss doesn't get in my face about
> running Linux. That, of course, was my choice.
>
> -O
>
> On Thu, Sep 16, 2010 at 6:17 PM, David Tomaschik <david at tuxteam.com> wrote:
>> On 09/16/2010 03:05 PM, Omar Chanouha wrote:
>>> Hello All,
>>>
>>>     Sorry for the long email, but I am having an issue with the IT guy
>>> at my office, and this problem is out of my league. I set up a
>>> LAMP/SSH server to host the intranet where I work. I am back at Tech
>>> now, and need a way to connect to the server (Miami) to make changes.
>>> I told the IT guy to open a port for me in the firewall so I can get
>>> to the SSH server. Easy enough right?
>>>
>>> So, I can log into the server *.126, and I can send and receive data
>>> from it, HOWEVER if I try to receive a large (> a paragraph's) worth of
>>> data the client hangs. The firewall still registers a connection, and
>>> the client will just hang forever (Ctrl-C does nothing, I have to close
>>> the terminal). I would imagine this means it is waiting for data that
>>> is not going to get there, and is also not receiving a disconnect
>>> message.
>>>
>>> Example:
>>>
>>> o at remote:~$cat smallfile
>>> Hello World!
>>> o at remote:~$cat bigfile[no response]
>>>
>>> The same would apply to listing (ls) a small directory vs a large one,
>>> or even TAB completing a long list vs a short one.
>>>
>>> At address *.126 there are multiple machines, so when I connect to
>>> *.126 I get port forwarded to another machine via NAT. Just as a test,
>>> we made the relationship 1-1 at address *.124 (another ip we own) and
>>> we made the firewall rule completely open at this address. The server
>>> then worked. The IT guy then decided to make the rule more strict by
>>> only allowing connection on port 22, and we went back to the previous
>>> result. He then put in the Cisco SSH rule (rather than just opening
>>> port 22) and it worked again.
>>>
>>> However, *.124 is not available for full time use, so we went back to
>>> *.126 and applied the SSH rule, but got the same result as before.
>>> Here is the weird part, when we port forward *.126 to one of the SSH
>>> servers on one of the Cisco routers (rather than my machine) SSH works
>>> fine. The IT guy thinks that the issue is coming from the NAT b/c we
>>> are using the same firewall rule that worked w/ 1-1.
>>>
>>> Question, what could be causing the Ubuntu SSH server to hang ONLY
>>> when larger amounts of data are being sent, but not affect the Cisco
>>> SSH servers?
>>>
>>> Thanks,
>>>
>>> -O
>>>
>>
>> What exactly do you mean by the "Cisco SSH rule" versus "opening port
>> 22"?  Assuming it's not doing any sort of MITM work (which would be bad)
>> and is just passing packets, I'd start by looking at your MTU.  Most SSH
>> packets are much smaller than your MTU, but a large amount of data could
>> well exceed this.  If the firewall is dropping fragments, you would get
>> a behavior similar to what you've described.
>>
>> Also, try using wireshark to see what's going on in the connection, or
>> have your IT guy do it from his end (he could do it via a mirror port on
>> a switch, for example).
>>
>> --
>> David Tomaschik, RHCE
>> Ubuntu Community Member
>> Moderator, LinuxQuestions.org
>> GPG: 0x6D428695
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
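The check David suggests (is the path's MTU smaller than the server thinks, and are oversized packets being silently dropped rather than fragmented or rejected with an ICMP "fragmentation needed"?) can be done from the client side before touching the server's MTU. The script below is an added example, not code from anyone in this thread. It sends ICMP echo requests with the Don't-Fragment bit set and binary-searches for the largest size that still gets a reply; the resulting path MTU is what the server's interface MTU was throttled down to. It assumes Linux iputils `ping` (flags `-M do`, `-s`, `-c`, `-W`); the `simulated_path` helper and the 1400-byte example are constructed for offline use and are not measurements from the poster's network.

```python
"""Path-MTU probe for the "SSH hangs on large output" symptom.

Added example, not from the original thread. Small SSH packets fit in
one frame; a full-size TCP segment (MSS = MTU - 40 on IPv4) does not
if some hop or the NAT/firewall has a smaller MTU. If that hop also
drops fragments or blocks the ICMP "fragmentation needed" message,
the sender never learns to shrink its segments and the session stalls
exactly when a big directory listing or file is sent. Assumes iputils
ping on Linux; hostnames/sizes below are placeholders.
"""
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20   # bytes
ICMP_HEADER = 8    # bytes
TCP_HEADER = 20    # bytes, no options
MIN_IPV4_MTU = 576
ETHERNET_MTU = 1500


def ping_probe(host: str, payload: int, timeout: float = 1.0) -> bool:
    """True if one ICMP echo of `payload` bytes with DF set is answered.

    -M do  : set Don't-Fragment, never fragment locally
    -s N   : ICMP payload size (on-wire size is N + 28 on IPv4)
    Assumes iputils ping; returns False if ping is missing or times out.
    """
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout),
           "-s", str(payload), host]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def find_path_mtu(probe: Callable[[int], bool],
                  lo: int = MIN_IPV4_MTU, hi: int = ETHERNET_MTU) -> int:
    """Largest MTU in [lo, hi] whose DF-marked packets get through.

    `probe` takes an ICMP payload size and reports success; the search
    needs about ten probes to cover 576..1500.
    """
    if not probe(lo - IPV4_HEADER - ICMP_HEADER):
        raise RuntimeError("no reply even at the minimum IPv4 MTU")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IPV4_HEADER - ICMP_HEADER):
            lo = mid          # mid fits, answer is >= mid
        else:
            hi = mid - 1      # mid is too big
    return lo


def mss_for_mtu(mtu: int) -> int:
    """TCP payload per segment that fits an IPv4 MTU without fragmenting."""
    return mtu - IPV4_HEADER - TCP_HEADER


def simulated_path(limit: int) -> Callable[[int], bool]:
    """Constructed offline stand-in for ping_probe: a path that silently
    drops any DF packet larger than `limit` bytes on the wire."""
    return lambda payload: payload + IPV4_HEADER + ICMP_HEADER <= limit


def report(host: str) -> dict:
    """Probe `host` and describe what to set on the far server."""
    mtu = find_path_mtu(lambda n: ping_probe(host, n))
    return {
        "host": host,
        "path_mtu": mtu,
        "mss": mss_for_mtu(mtu),
        "blackhole_suspected": mtu < ETHERNET_MTU,
    }


if __name__ == "__main__":
    # usage: python pmtu_probe.py <ssh-server-or-firewall-address>
    print(report(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

If the probe reports a path MTU below 1500 while the server's interface still says 1500, that is the mismatch that made the session hang: setting the server's MTU to the reported value (what the poster did) or clamping TCP MSS on the firewall both stop full-size segments from being produced in the first place.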
